Evaluation of Text Message Authentication Methods to Reduce Fraud

Context

Discover’s Fraud Product team was exploring changes to the text authentication experience—a critical process that helps verify customers and block fraudsters. The proposed update required customers to first reply Y or N to an initial text before receiving their one-time passcode. This extra step was designed to protect against scams where fraudsters trick customers into sharing authentication codes over the phone.

The Problem: The Fraud Product team emphasized the need for a 2-step SMS process, citing cases where customers had lost up to $100,000 to scammers. However, the Digital Experience team raised concerns: would the added step confuse most customers, increase frustration, and drive more calls to customer support?

To answer these questions, I led a two-phase research project.

  • Round 1: Evaluate whether the 2-step authentication process created confusion, increased cognitive load, or changed perceptions of security compared to competitors’ simpler 1-step process.

  • Round 2: Test an improved version of the message to see if clearer wording reduced confusion and strengthened customer confidence in security.

Tools: UserZoom

Method Used: Survey

Participants: 200 Participants

Timeline: 2 weeks

Round 1: How does a 2-step text compare to a 1-step text authentication process?

First, a competitive review of competitors' current text authentication processes was conducted to identify any industry standards for these messages.

🔑 The key takeaway from the competitive review was that competitors' authentication messages consistently included:

  1. Identification of the company that sent the code

  2. A note to not share the code with anyone else

✍🏼 As a result, the design was updated to incorporate these two industry standards.

Following the competitive review, a survey was conducted with 300 participants. Each participant saw 1 of 3 text message interactions, either from 1 of 2 competitors or the proposed 2-step text message from Discover:

Citi

Chase

Discover

Participants were then asked to enter the identification code sent via text message to authorize their log-in attempt.

Key Takeaways

Confusion Around Inquiry

Finding: Nearly half of participants (44%) misinterpreted Discover’s fraud-prevention text message, which asked “Did someone call you and ask you for a verification code?” Only 56% answered correctly (“No, no one called me”).

Why it happened:

  • Expectations misalignment: Participants were used to a one-step process and didn’t anticipate the extra confirmation.

  • Cognitive friction: The question required more interpretation than users expected in this flow.

  • Negative framing: The correct response was “No,” which felt counterintuitive since users are accustomed to confirming actions with “Yes.”

Perceived to be Less Secure

Finding: Participants were more likely to describe Discover’s text interaction with negative terms compared to competitors. Over 20% used words like suspicious, confusing, shady, and untrustworthy.

Why it happened: Participants’ comments suggest that the added step, though designed to improve security, instead created doubt:

  • Misaligned expectations: Users anticipated receiving a code directly, not a question about phone calls.

  • Perceived unnecessary complexity: The extra step felt confusing and out of place in a normally straightforward flow.

  • Eroded trust: Rather than reassuring users, the unusual wording and process led some to question Discover’s security practices.

Context = Peace of Mind

Finding: When ranking their preferred verification interactions, 44% of participants chose Chase as their top choice, while 53.7% ranked Discover as their least preferred. Participants favored Chase’s longer, more detailed message over Citi’s concise version, describing it as clearer, friendlier, and more legitimate.

Why it happened: Participant feedback suggests preferences were driven by:

  • Clarity and credibility: Chase’s extra detail (purpose of the code, what to do if unrequested, not to share the code) reinforced legitimacy and trust.

  • Expectation of simplicity: Despite perceiving Discover’s two-step process as potentially more secure, users disliked the added effort, calling it “weird” and “suspicious.”

  • Alignment with norms: Participants preferred the industry-standard, one-step process, even if it meant accepting some level of risk.

Impact

The research revealed that many customers misinterpreted the message and even viewed it as suspicious or confusing. Based on these findings, the team shifted course—rather than rolling the process out to all customers, they limited it to only the highest-risk cases identified by Discover’s fraud algorithms. This decision balanced fraud prevention with customer experience, directly informed by research insights.